RAXE-2026-049 CRITICAL CVSS 9.8 v3.1 S2

CrewAI Unsafe Fallback and Configuration Behaviours Enable Prompt-Injection-to-RCE, SSRF, and File Read

Agent Security 2026-04-05 M. Hirani TLP:GREEN

1. Executive Summary

CERT/CC published Vulnerability Note VU#221883 on 2026-03-30, disclosing four vulnerabilities in CrewAI, the open-source multi-agent orchestration framework (CERT/CC VU#221883). The vulnerabilities are not independent, internet-facing bugs; they form a chainable cluster whose entry point is prompt injection into an agent with the Code Interpreter Tool enabled. An attacker who achieves influence over such an agent — via direct input or indirect prompt injection through any content the agent retrieves and processes — can chain the four vulnerabilities to read arbitrary files from the host, issue server-side requests to internal network services including cloud instance metadata, and ultimately execute arbitrary operating system commands.

CERT/CC stated in their Solution section at the time of disclosure: "At the time of writing, no complete patch is available for all disclosed vulnerabilities." (CERT/CC VU#221883). The latest stable release, crewai 1.13.0 (published 2026-04-02), does not reference any of the four CVEs in its PyPI release metadata, corroborating CERT/CC's coordinator assessment. Note: RAXE did not perform a source code audit of 1.13.0; the no-fix assessment rests on CERT/CC's statement and the absence of CVE references in the PyPI release metadata (CERT/CC VU#221883, PyPI). The vendor acknowledged the two remote code execution components (CVE-2026-2275, CVE-2026-2287) but left the SSRF (CVE-2026-2286) and arbitrary file read (CVE-2026-2285) components at "Unknown" status in the advisory (CERT/CC VU#221883).

Organisations running CrewAI agents with Code Interpreter Tool enabled and any exposure to attacker-influenced input should treat CERT/CC's mitigation recommendations as non-optional pending a confirmed fix.


2. Affected Product

| Field | Value |
| --- | --- |
| Package | crewai (PyPI — https://pypi.org/project/crewai/) |
| Latest stable at time of writing | 1.13.0 (published 2026-04-02) |
| Fixed version | None confirmed as of 2026-04-05 |
| Security fix in 1.13.0 | None identified — the PyPI project page and release metadata for 1.13.0 do not reference any of the four CVEs. Source code inspection was not performed; the absence of a fix is corroborated by CERT/CC's Solution section rather than by a RAXE source code audit (CERT/CC VU#221883, PyPI) |
| GHSA advisories | Four unreviewed advisories published in the GitHub Advisory Database (GHSA-5w94-5wxp-rc42, GHSA-85jf-9mcx-32r5, GHSA-pgf5-gw7r-wxg7, GHSA-mgj5-c563-6f76); none contain package ecosystem mapping, version data, or proof-of-concept code as of 2026-04-05 |
| Public PoC | No proof-of-concept code identified in any advisory, registry, or public repository as of 2026-04-05 (CERT/CC VU#221883) |

3. CVE Cluster Overview

CERT/CC VU#221883 characterises the four vulnerabilities as a cluster whose components become most impactful in combination. All CVSS scores below are CISA-ADP assessed figures sourced from NVD advisory records; NVD Primary analysis is not yet complete for any of the four CVEs as of 2026-04-05. The scores should be understood as CISA-ADP assessed, not NVD-analysed.

Note on CVSS score provenance. CVSS scores for all four CVEs were enriched by CISA through the Authorised Data Publisher (ADP) vulnrichment programme (source UUID 134c704f) and appear as Secondary type in NVD. They are not scores submitted by the CNA, which is CERT/CC (cve@cert.org). CERT/CC coordinated the disclosure but did not publish CVSS scores; the scoring attribution throughout this advisory is therefore CISA-ADP assessed.

| CVE | CVSS v3.1 (CISA-ADP assessed) | Severity | Vector | CWE | Mechanism |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-2275 | 9.6 | CRITICAL | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | CWE-749 | CodeInterpreterTool sandbox fallback RCE (init) |
| CVE-2026-2285 | 7.5 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | | JSON loader arbitrary file read |
| CVE-2026-2286 | 9.8 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | RAG search tools SSRF |
| CVE-2026-2287 | 9.8 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | Docker runtime fallback RCE |

The highest CISA-ADP assessed CVSS score in the cluster is 9.8 CRITICAL, shared by CVE-2026-2286 and CVE-2026-2287. This represents the individual score for those CVEs, not an aggregate cluster score. CVE-2026-2275 carries a distinct score of 9.6 CRITICAL with a UI:R element; Section 4.1 explains the significance of that distinction.

EPSS scores as of 2026-04-04 (FIRST.org EPSS):

| CVE | EPSS Score | Percentile |
| --- | --- | --- |
| CVE-2026-2275 | 0.039% | 11.9th |
| CVE-2026-2285 | 0.054% | 17.0th |
| CVE-2026-2286 | 0.041% | 12.7th |
| CVE-2026-2287 | 0.043% | 13.2nd |

EPSS scores are low, consistent with a freshly published advisory with no confirmed in-the-wild exploitation at the time of data collection. RAXE assesses that these scores are expected to rise as the advisory receives wider attention and if weaponisation is observed (FIRST.org EPSS).


4. Technical Analysis

4.1 CVE-2026-2275: CodeInterpreterTool Sandbox Fallback RCE at Initialisation (CVSS 9.6, CRITICAL, UI:R)

NVD description: "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling." (CVE-2026-2275)

CrewAI's Code Interpreter Tool is designed to execute agent-generated code inside a Docker container. When Docker is not reachable at the time the tool initialises, the tool falls back to a SandboxPython (RestrictedPython) execution environment. The vendor confirmed in their CERT/CC statement that the ctypes module is absent from the BLOCKED_MODULES list in this fallback environment (CERT/CC VU#221883): "CrewAI acknowledges that the ctypes module is not included in the BLOCKED_MODULES list for the SandboxPython fallback environment in CodeInterpreterTool. This oversight allows sandbox escape when Docker is unavailable."

The ctypes module exposes Python-to-C boundary crossing. Code executing inside SandboxPython can import ctypes and invoke C library functions — including libc.system() — directly on the underlying host operating system, crossing the security boundary that the sandbox is intended to enforce. This is classified as CWE-749 (Exposed Dangerous Method or Function) (CVE-2026-2275).

CVSS UI:R framing. The UI:R (user interaction required) element of CVE-2026-2275's vector requires careful interpretation. It does not mean an end-user must click a browser link. RAXE assesses that UI:R reflects the operator's act of enabling the Code Interpreter Tool via allow_code_execution=True, which is the deployment decision that brings this vulnerability into scope. CERT/CC VU#221883 confirms that "exploitation requires an agent with the Code Interpreter Tool enabled and attacker influence via direct or indirect prompt injection." Once the tool is deployed, exploitation requires only prompt injection — which can be indirect — with no further operator interaction. CVE-2026-2275 should not be characterised as fully zero-interaction; the CVSS 9.6 score nonetheless places it firmly in CRITICAL severity territory.

The vendor acknowledged affected status for this CVE and stated intent to add ctypes and related modules to BLOCKED_MODULES. No fixed version has been released as of 2026-04-05 (CERT/CC VU#221883; PyPI).

4.2 CVE-2026-2285: JSON Loader Arbitrary File Read (CVSS 7.5, HIGH)

NVD description: "CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server." (CVE-2026-2285)

The JSON loader tool accepts file path arguments without validating that the supplied path falls within an expected directory boundary. An attacker who achieves prompt injection can direct the agent to invoke the JSON loader with an arbitrary path, returning the contents of any file readable by the CrewAI process through the agent's tool output.

This vulnerability is exploitable independently of Docker configuration: it does not require Code Interpreter Tool to be enabled and is not neutralised by running CrewAI inside Docker. Its CVSS vector (PR:N/UI:N) reflects that no privilege or user interaction is required beyond achieving prompt injection (CVE-2026-2285). Vendor status in CERT/CC VU#221883 is "Unknown"; no vendor statement has been issued for this CVE as of 2026-04-05 (CERT/CC VU#221883).
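As an added illustration (not code from the RAXE advisory or from the CrewAI code base), the following shows the kind of path-containment check the JSON loader is described as lacking, written as a wrapper an operator could place around a file-loading tool so an agent can only read JSON beneath an approved directory. It assumes POSIX paths and builds its own temporary fixture.

```python
"""Added example (not the RAXE advisory's or CrewAI's code): a path-containment
check of the kind the JSON loader lacks, for use in a wrapper tool that only
lets an agent load JSON from an approved directory. POSIX paths assumed."""
import json
import os
import tempfile
from pathlib import Path
from typing import Any, Dict


class PathOutsideAllowedRoot(PermissionError):
    """Raised when a requested path escapes the approved data directory."""


def resolve_within(root: Path, requested: str) -> Path:
    """Resolve `requested` against `root` and prove the result stays inside it.

    '..' components and symlinks are neutralised by fully resolving both sides
    before the containment comparison; absolute input is rejected outright
    because the loader should only ever receive root-relative paths.
    """
    root_real = root.resolve(strict=True)
    if not requested or os.path.isabs(requested):
        raise PathOutsideAllowedRoot(f"absolute or empty path not permitted: {requested!r}")
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathOutsideAllowedRoot(f"path escapes {root_real}: {requested!r}") from None
    return candidate


def load_json_contained(root: Path, requested: str) -> Any:
    """Load JSON only from a path proven to be inside `root`."""
    with resolve_within(root, requested).open("r", encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> Dict[str, str]:
    """Constructed fixture: an approved data dir, a file outside it, and a
    symlink inside the dir that points at the outside file."""
    base = Path(tempfile.mkdtemp())
    root = base / "data"
    root.mkdir()
    (root / "ok.json").write_text('{"source": "approved"}', encoding="utf-8")
    outside = base / "secret.txt"  # stands in for a credential file outside the root
    outside.write_text("not for agents", encoding="utf-8")
    (root / "link.json").symlink_to(outside)

    results = {"ok": load_json_contained(root, "ok.json")["source"]}
    attempts = {"traversal": "../secret.txt", "symlink": "link.json", "absolute": str(outside)}
    for name, requested in attempts.items():
        try:
            load_json_contained(root, requested)
            results[name] = "allowed"
        except PathOutsideAllowedRoot:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

Resolve-then-open remains racy against a writer who can swap a path component between the two calls, which is why this application-level check complements rather than replaces the OS-level restrictions in mitigation M5.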

4.3 CVE-2026-2286: RAG Search Tools SSRF (CVSS 9.8, CRITICAL)

NVD description: "CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime." (CVE-2026-2286)

The Retrieval-Augmented Generation (RAG) search tools accept caller-controlled URLs at runtime without applying any allow-list or deny-list validation. An attacker who achieves prompt injection can direct the agent to supply an internal or link-local URL as the search target, causing the CrewAI host process to issue an outbound HTTP request to that address.

In cloud-hosted deployments, RAXE assesses the primary exploitation target as the instance metadata service (IMDS). For AWS deployments, a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns the temporary IAM access keys associated with the instance role, enabling lateral movement into any AWS service that role can reach. This assessment is based on standard SSRF attack taxonomy applied to the CERT/CC-confirmed absence of URL validation; no cloud-specific testing was performed. Other candidate targets include internal APIs, service discovery endpoints, and administrative panels restricted to the server's own network range. Vendor status for this CVE is "Unknown" in CERT/CC VU#221883 (CERT/CC VU#221883).

This CVE is exploitable independently of Docker configuration and does not require Code Interpreter Tool to be enabled.

4.4 CVE-2026-2287: Docker Runtime Failure Leading to Unsafe Sandbox Fallback RCE (CVSS 9.8, CRITICAL)

NVD description: "CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation." (CVE-2026-2287)

This CVE is distinct from CVE-2026-2275, which concerns Docker unavailability at initialisation. CVE-2026-2287 concerns runtime continuity. An operator may deploy CrewAI with Docker running and the Code Interpreter Tool initialising successfully — satisfying the precondition that prevents CVE-2026-2275 from triggering at startup — but if the Docker daemon subsequently crashes or is stopped during operation, the _check_docker_available() method fails silently and the tool reverts to the unsafe SandboxPython fallback mid-execution (CERT/CC VU#221883). This creates an additional exploitation window that persists even in deployments initially running with Docker.

The CVSS UI:N element distinguishes this CVE from CVE-2026-2275 (which carries UI:R). The fallback to unsafe execution occurs automatically when the daemon becomes unavailable, without any subsequent operator action. The vendor acknowledged affected status and stated remediation intent (CERT/CC VU#221883):

"We are evaluating the following changes:
- Adding a configuration option to fail closed rather than fall back to sandbox
- Providing clearer runtime warnings when falling back to sandbox mode"

No fixed version has been released as of 2026-04-05 (PyPI).


5. Attack Chain (RAXE Assessment)

The following describes the primary exploitation chain as assessed by RAXE from CERT/CC VU#221883 and NVD advisory data. Sections drawing on RAXE analysis rather than directly attributed advisory language are labelled as RAXE assessments.

Full chain preconditions: Code Interpreter Tool enabled (allow_code_execution=True); Docker unavailable at initialisation or made unavailable during operation; agent exposed to attacker-influenced input.

| Step | CVE | Primitive | CVSS (CISA-ADP assessed) | Notes |
| --- | --- | --- | --- | --- |
| 1. Entry | | Prompt injection into Code Interpreter-enabled agent | | Direct or indirect; entry point is the agent's input stream |
| 2. Reconnaissance | CVE-2026-2285 | Arbitrary file read via JSON loader | 7.5 HIGH | Returns credential files, environment variables, SSH keys |
| 3. Credential theft | CVE-2026-2286 | SSRF via RAG search tools | 9.8 CRITICAL | IMDS, internal APIs, lateral network probing |
| 4a. Code execution | CVE-2026-2275 | ctypes RCE via SandboxPython fallback at init | 9.6 CRITICAL | Docker absent at startup |
| 4b. Code execution | CVE-2026-2287 | ctypes RCE via SandboxPython fallback at runtime | 9.8 CRITICAL | Docker becomes absent during operation |

Steps 2, 3, and 4a/4b can be executed in any order following successful prompt injection. Steps 2 and 3 are independent of Docker configuration and of each other. Steps 4a and 4b represent alternative paths to the same RCE outcome, differing only in whether Docker is absent at startup or becomes absent during operation.

RAXE assessment of exploitation realism. Indirect prompt injection — embedding adversarial instructions in a document, web page, or external data source that the agent retrieves and processes — is the most realistic entry vector in production deployments where direct agent input is operator-controlled. Deployments that allow agents to retrieve and process external content without input filtering are the primary exposure population. No public proof-of-concept code has been identified (CERT/CC VU#221883), which currently limits the attacker population to those who can independently derive the technique from the advisory. RAXE assesses that EPSS scores will rise as attacker awareness of the advisory increases.

Deployments not exposed to the RCE components. Deployments running CrewAI entirely within Docker with Code Interpreter Tool disabled are not exposed to CVE-2026-2275 or CVE-2026-2287. CVE-2026-2285 (file read) and CVE-2026-2286 (SSRF) remain exploitable in any deployment where prompt injection is achievable and the respective tools are accessible to agents.


6. Structural Context

This cluster represents a failure mode that is structural to the agentic AI security surface rather than a conventional software defect. The root design assumption — that a safe execution environment (Docker) is reliably present and remains so throughout operation — is not hardened with fail-closed behaviour. When that assumption is violated, the framework silently downgrades to an unsafe execution environment without raising an error or halting the operation.

The vendor's partial response is itself instructive. They acknowledged the two RCE components (CVE-2026-2275 and CVE-2026-2287) and provided vendor statements, but left the SSRF and file read components at "Unknown" status. CERT/CC, in its coordinator role, independently reclassified both RCE issues to "Affected" based on its own assessment, diverging from the vendor's initial posture (CERT/CC VU#221883).

RAXE notes a structural parallel with a prior finding in this stream: a separate advisory for a different AI/ML framework concerned a framework default enabling code execution through the model loading surface. In that case, as here, the unsafe behaviour was a "fail-open" design choice that became exploitable when an attacker could influence the AI/ML control plane. Both patterns reflect the same underlying risk class: agentic and ML frameworks that prioritise functionality continuity over security hardening when environmental assumptions break.

The disclosure timeline is also notable. crewai 1.13.0 was published on 2026-04-02 — three days after CERT/CC published VU#221883 on 2026-03-30 — with no CVE references in its PyPI release metadata (PyPI). The exposure window opened on advisory publication and remains open indefinitely until a patched release is confirmed.


7. Key Assumptions and Caveats (KAC)

| Ref | Assumption | Confidence | Impact if Wrong |
| --- | --- | --- | --- |
| K1 | No complete patch exists for all four CVEs as of 2026-04-05 | HIGH — confirmed by CERT/CC Solution section statement and absence of CVE references in crewai 1.13.0 PyPI release metadata | Patch status requires revision |
| K2 | crewai 1.13.0 does not address any of the four CVEs | MEDIUM — PyPI release metadata for 1.13.0 contains no CVE references; source code inspection was not performed; assessment corroborated by CERT/CC Solution section | Technical descriptions may require revision if a silent fix was included |
| K3 | The ctypes module remains absent from BLOCKED_MODULES in crewai 1.13.0 | MEDIUM — vendor acknowledged the gap and stated fix is in an upcoming release; source code inspection of 1.13.0 not performed; could have been silently patched | CVE-2026-2275 and CVE-2026-2287 descriptions require revision if already patched at source level |
| K4 | No public PoC code exists as of advisory date | HIGH — NVD references no PoC; four unreviewed GHSAs exist but contain no PoC code or version data; no public exploit repositories identified (CERT/CC VU#221883) | Threat imminence assessment requires upward revision if PoC emerges |
| K5 | EPSS scores reflect low exploitation probability as of data collection date | HIGH — sourced directly from FIRST.org EPSS API on 2026-04-04 (FIRST.org EPSS) | Imminence assessment requires revision on observed exploitation |
| K6 | CVE-2026-2285 and CVE-2026-2286 vendor status remains "Unknown" | HIGH — verified in CERT/CC VU#221883, last updated 2026-03-30 | Vendor response section requires revision if statements emerge |

8. Competing Hypotheses

RAXE applied Analysis of Competing Hypotheses (ACH) across three positions:

Primary hypothesis (HIGH confidence). CrewAI deployments with Code Interpreter Tool enabled and exposure to untrusted input are at material risk of the full RCE chain. The combination of silent fallback to an unsafe execution environment, absent input validation across multiple tools, and the LLM-mediated control plane creates compound risk greater than the sum of its parts.

Alternative hypothesis — partial containment (MEDIUM confidence). Risk may be partially contained in practice if operators routinely run CrewAI within Docker with allow_code_execution disabled. CERT/CC's mitigations explicitly recommend this configuration, which neutralises the RCE components. The SSRF (CVE-2026-2286) and file read (CVE-2026-2285) components remain exploitable regardless of Docker configuration.

Competing hypothesis — low immediate threat (LOW confidence). Because EPSS scores are uniformly below 0.1% and no in-the-wild exploitation has been reported as of the advisory date, the immediate operational threat may be lower than the CISA-ADP assessed CVSS scores imply (RAXE assessment). The absence of public PoC code and the prompt injection precondition limit the current attacker population. RAXE holds this hypothesis at low confidence because the advisory is public, the attack chain is derivable from the disclosure, and the absence of a complete patch means the exposure window is indefinite.


9. Detection Guidance

RAXE has produced four Sigma rules and two YARA rules for this finding (TLP:GREEN). Detection is organised into two tiers.

Tier 1 — Precondition Detection (Deploy Immediately)

Sigma Rule 001 — SandboxPython Fallback Triggered (CVE-2026-2275/2287, CRITICAL). Detects process-level indicators of the Code Interpreter Tool falling back to SandboxPython — the unsafe execution environment that enables RCE. A match confirms the fallback precondition is met; it does not confirm exploitation, but confirms the system is in the vulnerable execution state. Log sources: auditd EXECVE, eBPF process monitors (Falco, Tetragon), EDR process telemetry.

YARA Rule 001 — allow_code_execution Configuration Audit (CVE-2026-2275/2287, CRITICAL). Scans Python source files, YAML/JSON/TOML configuration files, and container images for allow_code_execution=True in a CrewAI context. Identifies deployments where the RCE precondition is met at the configuration level. Suitable for CI/CD pre-merge checks. Lane 2 (vulnerability-informed).

Tier 2 — Exploitation Indicators

Sigma Rule 002 — ctypes Import in Code Interpreter Context (CVE-2026-2275/2287, CRITICAL). Detects ctypes import or direct C library call patterns in a subprocess with a CrewAI parent process. A ctypes import in Code Interpreter-generated code has no legitimate purpose in any production CrewAI deployment; this is a high-confidence exploitation indicator when the parent process context confirms CrewAI. Log sources: auditd EXECVE, eBPF process monitors, EDR process telemetry.

Sigma Rule 003 — Outbound HTTP to Internal or Link-Local Address (CVE-2026-2286, HIGH). Detects outbound HTTP/HTTPS connections from a Python/CrewAI process to RFC-1918, link-local (169.254.0.0/16), or loopback addresses. In cloud-hosted deployments, connections to 169.254.169.254 are unambiguously anomalous and should be treated as CRITICAL regardless of the rule's base severity setting. Log sources: eBPF network monitors, EDR network telemetry, VPC flow logs correlated with host process identity.

Sigma Rule 004 — File Read Outside Expected Paths (CVE-2026-2285, HIGH). Detects file open operations by a Python/CrewAI process targeting high-value paths outside expected application directories — process environment files, SSH keys, AWS/GCP/Azure credential files, Kubernetes secret mounts, and .env files. Requires filesystem audit telemetry (auditd file access rules, eBPF file-open hooks, EDR file telemetry).

YARA Rule 002 — ctypes in Agent Output (CVE-2026-2275/2287, CRITICAL). Scans agent output log files, SIEM log archives, and incident artefacts for ctypes patterns appearing alongside CrewAI execution identifiers. A match in agent output logs or forensic artefacts is a high-confidence exploitation indicator. Lane 3 (hunting/heuristic).
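The host-side logic behind Sigma Rules 002 and 004, as an added example that is not one of RAXE's published rules and not CrewAI code. It runs over constructed newline-delimited JSON events; the field names (type, parent_cmdline, cmdline, process_cmdline, path), the CrewAI process pattern and the expected application directories are assumptions modelled on Falco/EDR-style output, not a real vendor schema.

```python
"""Added example: detection logic mirroring Sigma Rules 002 and 004 over
constructed process_creation and file_access events (not RAXE's rules)."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Field names and patterns below are assumptions modelled on Falco/EDR-style
# JSON telemetry, not a real vendor schema.
CREWAI_CONTEXT = re.compile(r"crewai|CodeInterpreterTool", re.I)
CTYPES_INDICATOR = re.compile(r"\bctypes\b|\bCDLL\b|LoadLibrary", re.I)

# Directories the CrewAI process is expected to read (assumption for the example).
EXPECTED_APP_DIRS = ("/srv/crewai/", "/opt/crewai/")
# High-value locations named in Rule 004: process environment, SSH keys,
# cloud credential files, Kubernetes secret mounts and .env files.
HOME_SECRET_DIR = re.compile(r"^/(root|home/[^/]+)/\.(ssh|aws|azure|config/gcloud)/")
SENSITIVE_PREFIXES = ("/proc/", "/run/secrets/", "/var/run/secrets/kubernetes.io/")
SENSITIVE_BASENAMES = frozenset({".env", "credentials", "id_rsa", "id_ed25519", "environ"})


def is_sensitive_path(path: str) -> bool:
    """True when a path is outside the app dirs and names a credential-bearing location."""
    if path.startswith(EXPECTED_APP_DIRS):
        return False
    basename = path.rsplit("/", 1)[-1]
    return (bool(HOME_SECRET_DIR.match(path))
            or path.startswith(SENSITIVE_PREFIXES)
            or basename in SENSITIVE_BASENAMES)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None when it matches neither rule."""
    kind = event.get("type")
    if kind == "process_creation":
        # Rule 002: ctypes indicator in the command line of a CrewAI child process.
        if (CREWAI_CONTEXT.search(event.get("parent_cmdline", ""))
                and CTYPES_INDICATOR.search(event.get("cmdline", ""))):
            return "RULE002_ctypes_in_code_interpreter_context"
    elif kind == "file_access":
        # Rule 004: CrewAI process opening a high-value path outside expected dirs.
        if (CREWAI_CONTEXT.search(event.get("process_cmdline", ""))
                and is_sensitive_path(event.get("path", ""))):
            return "RULE004_file_read_outside_expected_paths"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Run both detections over newline-delimited JSON events, skipping malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        label = classify(event)
        if label:
            findings.append((label, event))
    return findings


# Constructed sample telemetry (not real logs). Only events 2, 4 and 6 should fire.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process_creation", "parent_cmdline": "python3 /srv/crewai/run_crew.py",
     "cmdline": "python3 -c 'import json; print(json.dumps({}))'"},
    {"type": "process_creation", "parent_cmdline": "python3 /srv/crewai/run_crew.py",
     "cmdline": "python3 -c 'import ctypes'"},
    {"type": "file_access", "process_cmdline": "python3 /srv/crewai/run_crew.py",
     "path": "/srv/crewai/data/input.json"},
    {"type": "file_access", "process_cmdline": "python3 /srv/crewai/run_crew.py",
     "path": "/root/.aws/credentials"},
    {"type": "file_access", "process_cmdline": "nginx: worker process",
     "path": "/root/.ssh/id_rsa"},
    {"type": "file_access", "process_cmdline": "python3 /srv/crewai/run_crew.py",
     "path": "/proc/self/environ"},
]]

if __name__ == "__main__":
    for label, event in scan(SAMPLE_EVENTS):
        print(label, event.get("cmdline") or event.get("path"))
```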


10. Mitigations

No complete patch is available as of 2026-04-05. The following mitigations are sourced from CERT/CC VU#221883 unless noted. Operators should treat these as non-optional until a confirmed fix is published.

M1 — Disable Code Interpreter Tool (highest impact). Set allow_code_execution=False or leave the parameter unset in all agent configurations where code execution is not required. This neutralises CVE-2026-2275 and CVE-2026-2287. It does not address CVE-2026-2285 or CVE-2026-2286 (CERT/CC VU#221883).

M2 — Enforce Docker availability with fail-safe monitoring. If Code Interpreter Tool must remain enabled, ensure the Docker daemon is reliably available and monitored throughout the agent's operational lifetime. Implement health checks that detect Docker daemon failure and halt Code Interpreter Tool execution rather than allowing silent fallback. Note that this is a partial control: CVE-2026-2287 specifically concerns runtime failure, and the vendor's planned fail-closed configuration option does not yet exist in any released version (CERT/CC VU#221883).

M3 — Validate and filter agent inputs. Restrict all externally sourced content before it reaches agents. Implement a content review layer for documents, web pages, and external data sources that agents ingest. Consider allowlisting permitted tool invocations at the orchestration layer. CERT/CC VU#221883 recommends restricting agent inputs as the first mitigation step, as the prompt injection entry vector is the precondition for all four CVEs in this cluster (CERT/CC VU#221883).

M4 — Apply URL allow-listing for RAG tool endpoints. At the application layer, restrict the URLs that RAG search tools may target to an explicit allow-list of permitted external hosts. Block access to RFC-1918, link-local (169.254.0.0/16), and loopback ranges. This neutralises CVE-2026-2286 at the application level until a code-level fix is available (CERT/CC VU#221883).
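An application-layer URL gate of the kind M4 describes, as an added example that is not code from the RAXE advisory or from the CrewAI project. The allow-listed hosts, the permitted schemes and the offline DNS table are constructed assumptions; the system resolver is used when no resolver is passed in.

```python
"""Added example (not from the RAXE advisory or the CrewAI project): an
application-layer URL gate implementing M4 for RAG search tool targets."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Permitted external hosts and schemes: assumptions for the example.
ALLOWED_HOSTS = frozenset({"docs.example.com", "kb.example.org"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


class BlockedURL(ValueError):
    """Raised when a URL fails the allow-list or resolved-address checks."""


def is_forbidden_address(ip: IPAddress) -> bool:
    """Deny RFC-1918/private, link-local (169.254.0.0/16, fe80::/10), loopback
    and reserved addresses, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_link_local or ip.is_loopback
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA address for host; all of them must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline; these are not real records.
EXAMPLE_DNS = {"docs.example.com": ["93.184.216.34"], "kb.example.org": ["10.0.0.5"]}


def stub_resolver(host: str) -> List[str]:
    return EXAMPLE_DNS.get(host, [])


def validate_rag_url(url: str,
                     resolver: Callable[[str], Iterable[str]] = system_resolver) -> List[str]:
    """Return the vetted addresses for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not permitted: {parts.scheme!r}")
    if parts.username or parts.password:
        raise BlockedURL("userinfo in URL is not permitted")
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        raise BlockedURL("URL has no host")
    # IP literals would bypass the hostname allow-list entirely, so reject them outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise BlockedURL(f"IP literal hosts are not permitted: {host}")
    if host not in ALLOWED_HOSTS:
        raise BlockedURL(f"host not on allow-list: {host}")
    # An allow-listed name can still resolve to an internal address (stale or
    # attacker-influenced DNS), so every resolved address is checked as well.
    addrs = list(resolver(host))
    if not addrs:
        raise BlockedURL(f"host did not resolve: {host}")
    for addr in addrs:
        if is_forbidden_address(ipaddress.ip_address(addr)):
            raise BlockedURL(f"{host} resolves to forbidden address {addr}")
    return addrs


def is_url_permitted(url: str,
                     resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """Boolean form of validate_rag_url for callers that only need a verdict."""
    try:
        validate_rag_url(url, resolver)
    except BlockedURL:
        return False
    return True
```

The caller should connect to one of the returned addresses rather than re-resolving the hostname, otherwise a DNS answer that changes between check and request reopens the gap; HTTP redirects must be passed back through the same check before being followed.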

M5 — Apply OS-level path restrictions on the CrewAI process. Use seccomp profiles, AppArmor policies, or Linux DAC controls to restrict the filesystem paths readable by the CrewAI process to the expected application and data directories. This limits the impact of CVE-2026-2285 until a code-level fix is available (CERT/CC VU#221883; RAXE assessment).

M6 — Monitor for patch availability. Monitor CERT/CC VU#221883 at https://www.kb.cert.org/vuls/id/221883 and the crewai PyPI page at https://pypi.org/project/crewai/ for updated vendor status and new releases. The vendor committed to adding ctypes to BLOCKED_MODULES and adding a fail-closed Docker configuration option; a patched release should be confirmed before any of the above mitigations are relaxed (CERT/CC VU#221883).


11. Validation and Confidence

Assessment Confidence: HIGH (92%)

| Aspect | Status | Detail |
| --- | --- | --- |
| Vendor advisory | Confirmed | CERT/CC VU#221883, published 2026-03-30; vendor statements for CVE-2026-2275 and CVE-2026-2287 obtained during coordinated disclosure |
| CVE assigned | Confirmed | Four CVEs assigned; NVD records present with CISA-ADP assessed CVSS scores |
| NVD Primary analysis | Not complete | All four CVEs in Awaiting/Undergoing Analysis status as of 2026-04-05; CVSS scores are CISA-ADP assessed throughout |
| Patch available | None | crewai 1.13.0 (2026-04-02) contains no security fixes; no fixed version confirmed (PyPI) |
| Public PoC | None identified | No exploit code in any advisory, registry, or public repository as of 2026-04-05 (CERT/CC VU#221883) |
| Exploited in the wild | Not observed | EPSS scores 0.039–0.054% as of 2026-04-04 (FIRST.org EPSS) |
| Source reliability | A1 | CERT/CC coordinated disclosure; direct PyPI and FIRST.org API verification |

12. Source Grading (Admiralty Scale)

| Source | Grade | Notes |
| --- | --- | --- |
| CERT/CC VU#221883 | A1 — Reliable, confirmed | Coordinated disclosure; reporter Yarden Porat (Cyata); coordinator Christopher Cullen (CERT/CC); vendor statements obtained |
| NVD CVE records | B2 — Mostly reliable, generally confirmed | CVSS scores are CISA-ADP assessed (Secondary type); NVD Primary analysis not yet complete; flagged as such throughout |
| FIRST.org EPSS API | A1 — Reliable, confirmed | Direct API query; data date 2026-04-04 |
| PyPI crewai release history | A1 — Reliable, confirmed | Direct registry query; 1.13.0 confirmed as latest stable with no security fix entries |

13. Detection Rules Reference

| Rule ID | Type | CVEs Covered | Severity | Log Source |
| --- | --- | --- | --- | --- |
| SIGMA-RAXE-2026-049-001 | Sigma | CVE-2026-2275, CVE-2026-2287 | CRITICAL | process_creation (Linux) |
| SIGMA-RAXE-2026-049-002 | Sigma | CVE-2026-2275, CVE-2026-2287 | CRITICAL | process_creation (Linux) |
| SIGMA-RAXE-2026-049-003 | Sigma | CVE-2026-2286 | HIGH | network_connection (Linux) |
| SIGMA-RAXE-2026-049-004 | Sigma | CVE-2026-2285 | HIGH | file_access (Linux) |
| RAXE-2026-049-YARA-001 | YARA | CVE-2026-2275, CVE-2026-2287 | CRITICAL | static file scan |
| RAXE-2026-049-YARA-002 | YARA | CVE-2026-2275, CVE-2026-2287 | CRITICAL | log/artefact scan |

MITRE ATT&CK mapping: T1059.006 (Command and Scripting Interpreter: Python), T1078.004 (Valid Accounts: Cloud Accounts), T1590 (Gather Victim Network Information), T1083 (File and Directory Discovery), T1552.001 (Unsecured Credentials: Credentials in Files).

MITRE ATLAS mapping: AML.T0051 (LLM Prompt Injection — prompt injection as chain entry vector).

CWE mapping: CWE-749 (Exposed Dangerous Method or Function — CVE-2026-2275); CWE-749 applies to CVE-2026-2287 by the same mechanism; CVE-2026-2285 and CVE-2026-2286 have no CWE assigned in NVD as of 2026-04-05.


14. References

  • (CERT/CC VU#221883) CERT/CC VU#221883 — https://www.kb.cert.org/vuls/id/221883 — published 2026-03-30; reporter Yarden Porat (Cyata); coordinator Christopher Cullen (CERT/CC). Lead source, Admiralty A1.
  • (CVE-2026-2275) CVE-2026-2275 — https://nvd.nist.gov/vuln/detail/CVE-2026-2275 — CVSS 9.6 CRITICAL (CISA-ADP assessed), AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, CWE-749.
  • (CVE-2026-2285) CVE-2026-2285 — https://nvd.nist.gov/vuln/detail/CVE-2026-2285 — CVSS 7.5 HIGH (CISA-ADP assessed), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
  • (CVE-2026-2286) CVE-2026-2286 — https://nvd.nist.gov/vuln/detail/CVE-2026-2286 — CVSS 9.8 CRITICAL (CISA-ADP assessed), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  • (CVE-2026-2287) CVE-2026-2287 — https://nvd.nist.gov/vuln/detail/CVE-2026-2287 — CVSS 9.8 CRITICAL (CISA-ADP assessed), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  • (FIRST.org EPSS) FIRST.org EPSS API — https://api.first.org/data/v1/epss?cve=CVE-2026-2275,CVE-2026-2285,CVE-2026-2286,CVE-2026-2287 — data date 2026-04-04. CVE-2026-2275: 0.039% (11.9th pctile); CVE-2026-2285: 0.054% (17.0th pctile); CVE-2026-2286: 0.041% (12.7th pctile); CVE-2026-2287: 0.043% (13.2nd pctile).
  • (PyPI) crewai PyPI — https://pypi.org/project/crewai/ — latest stable 1.13.0 (published 2026-04-02); PyPI release metadata does not reference any of the four CVEs.
  • (CrewAI docs) CrewAI Code Interpreter Tool documentation — https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool